Data protection regulator confirms sensitive information was leaked
Turkish flight operator Pegasus Airlines has suffered a data breach after an AWS cloud storage bucket was reportedly left unprotected.
The Electronic Flight Bag (EFB) information belonging to an unknown number of customers was reportedly stored in the open bucket, allowing access to sensitive information.
Turkey’s data protection agency has since confirmed that a leak has happened after it received a data breach notification from the company.
The statement from Kişisel Verileri Koruma Kurumu (Turkey’s Personal Data Protection Authority) confirmed that there was unauthorized access to certain information held by Pegasus.
A vulnerability that allowed the access was discovered on March 21, according to regulators, and was resolved on March 24.
According to the regulator, leaked information includes the names, surnames, phone numbers, e-mail addresses, titles, flight information of past journeys, flight locations, and photographs and signature images of some employees.
According to Safety Detectives, which disclosed the breach, almost 23 million files were found on the bucket, totaling around 6.5 TB of data.
A blog post reads: “The bucket’s information was linked to an EFB software developed by PegasusEFB that pilots use for aircraft navigation, takeoff/landing, refueling, safety procedures, and various other in-flight processes.
“PegasusEFB’s open bucket left data including flight charts, navigation materials, and crew PII accessible to anyone.
“The bucket also exposed the EFB software’s source code, which contained plain-text passwords and secret keys that someone could use to tamper with extra-sensitive files.”
Read more of the latest news about data breaches
“This exposure could impact the safety of every Pegasus passenger and crew member around the world,” according to researchers. “Affiliated airlines that are using PegasusEFB could also be affected.”
According to regulator, an investigation into the incident is ongoing. The Daily Swig has reached out to Pegasus Airlines for more information and will update this article accordingly.
YOU MAY LIKE India to introduce six-hour data breach notification rule